Host Discovery

This page describes exactly what the Infracast Agent discovers on each host and how that data is reported and used.

Discovery Cycle

Every scan cycle (default: 5 minutes), the agent runs all enabled collectors in parallel:

graph LR
A[Scan Trigger] --> B[Processes]
A --> C[Ports]
A --> D[Software]
A --> E[Firewall]
A --> F[Connections]
A --> G[Users]
A --> H[File Integrity]
B & C & D & E & F & G & H --> I[Compile Report]
I --> J[POST /api/v1/agents/{id}/report]

Package Manager Discovery

The agent queries every supported package manager and consolidates results into a unified software inventory.

Linux Package Managers

| Package Manager | Discovery Method | Example |
| --- | --- | --- |
| apt / dpkg | dpkg-query -W -f='${Package} ${Version}' | openssl 3.0.2-0ubuntu1.9 |
| yum / dnf / rpm | rpm -qa --queryformat '%{NAME} %{VERSION}-%{RELEASE}' | httpd 2.4.57-5.el9 |
| pip / pip3 | pip list --format=json | requests 2.28.2 |
| npm (global) | npm list -g --json --depth=0 | pm2 5.3.0 |
| gem | gem list --no-versions + gem info | rails 7.1.2 |
| cargo | cargo install --list | ripgrep 14.0.3 |
| go | GOPATH binary scanning + go version -m | golang.org/x/crypto v0.17.0 |

Windows

| Source | Discovery Method |
| --- | --- |
| Installed Programs | Registry: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
| 32-bit Programs | Registry: HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall |
| Per-user Programs | Registry: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall |
| Windows Features | Get-WindowsFeature (Server) / Get-WindowsOptionalFeature |

macOS

| Source | Discovery Method |
| --- | --- |
| Homebrew | brew list --versions |
| Applications | /Applications/*.app Info.plist |
| pip / npm / gem | Same as Linux |

Reported Fields per Package

{
"name": "openssl",
"version": "3.0.2",
"source": "apt",
"installed_at": "2024-01-15T10:00:00Z",
"cves": ["CVE-2023-5678"]
}
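The consolidation step is where the per-manager formats above become the single record shape just shown. The following is an added example, not the agent's own code: it parses constructed samples of dpkg-query, pip list --format=json and npm list -g --json output offline (no subprocess calls) and emits records with the page's name/version/source fields. The page's sample record reports version 3.0.2 for an apt package although dpkg prints 3.0.2-0ubuntu1.9, so the example assumes the distro release suffix is stripped into a separate version_upstream field; the cves and installed_at fields are server-side and are not filled in here.

```python
"""Normalise raw package-manager output into the per-package record shape
shown above.  Added example, not Infracast's agent code.  The command
outputs below are constructed by hand so the code runs offline."""
import json

# Constructed sample of: dpkg-query -W -f='${Package} ${Version}\n'
DPKG_OUT = """openssl 3.0.2-0ubuntu1.9
libssl3 3.0.2-0ubuntu1.9
nginx 1.18.0-6ubuntu14.4
"""

# Constructed sample of: pip list --format=json
PIP_OUT = '[{"name": "requests", "version": "2.28.2"}, {"name": "urllib3", "version": "1.26.15"}]'

# Constructed sample of: npm list -g --json --depth=0
NPM_OUT = '{"dependencies": {"pm2": {"version": "5.3.0"}, "npm": {"version": "10.2.4"}}}'


def parse_dpkg(text):
    pkgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, version = line.split(" ", 1)
        pkgs.append({"name": name, "version": version, "source": "apt"})
    return pkgs


def parse_pip(text):
    return [{"name": p["name"], "version": p["version"], "source": "pip"}
            for p in json.loads(text)]


def parse_npm(text):
    deps = json.loads(text).get("dependencies", {})
    return [{"name": n, "version": m["version"], "source": "npm"}
            for n, m in deps.items()]


def upstream_version(version):
    """Drop a leading epoch ('1:') and the distro release suffix
    ('-0ubuntu1.9', '-5.el9') so 3.0.2-0ubuntu1.9 -> 3.0.2.
    Assumption: this is how the page's record arrives at "3.0.2".
    Caveat: distros backport fixes without bumping the upstream version,
    so CVE matching must also consult the distro's security tracker, not
    just the upstream version range."""
    v = version.split(":", 1)[-1]
    return v.split("-", 1)[0]


def build_inventory():
    """Unified inventory: one record per (source, name), sorted."""
    inv = parse_dpkg(DPKG_OUT) + parse_pip(PIP_OUT) + parse_npm(NPM_OUT)
    for p in inv:
        p["version_upstream"] = upstream_version(p["version"])
    seen = {}
    for p in inv:
        seen[(p["source"], p["name"])] = p      # later duplicate wins
    return sorted(seen.values(), key=lambda p: (p["source"], p["name"]))


if __name__ == "__main__":
    print(json.dumps(build_inventory(), indent=2))
```

The same package name can legitimately appear under several sources (a library installed by apt and again by pip), so the de-duplication key is (source, name) rather than name alone; collapsing on name would hide one of the two copies from CVE correlation.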

Running Processes and Services

What's Collected

{
"pid": 1234,
"name": "nginx",
"user": "www-data",
"cmdline": "/usr/sbin/nginx -g daemon off;",
"cpu_percent": 0.5,
"memory_mb": 12,
"status": "running",
"parent_pid": 1,
"start_time": "2026-04-01T00:00:00Z"
}

Linux Process Collection

  • Source: /proc/{pid}/status, /proc/{pid}/cmdline, /proc/{pid}/stat
  • Runs as: root (required for full cmdline access of other users' processes)
  • Captures: all processes visible in /proc

Windows Process Collection

  • Source: WMI Win32_Process class
  • Runs as: SYSTEM or Administrator
  • Captures: all processes, service names, executable paths

Systemd Services (Linux)

On systems with systemd, the agent also collects service state:

{
"name": "nginx.service",
"status": "active",
"enabled": true,
"description": "A high performance web server"
}

Network Configuration

Listening Ports

Identifies all ports with active listeners — key for attack surface mapping:

{
"port": 443,
"protocol": "tcp",
"address": "0.0.0.0",
"pid": 1234,
"process": "nginx"
}
| Address | Meaning |
| --- | --- |
| 0.0.0.0 | Listening on all IPv4 interfaces; reachable from every network the host is attached to unless a firewall rule blocks it (highest exposure) |
| 127.0.0.1 | Localhost only (lower risk; reachable only by processes on the host) |
| 10.0.0.5 | Bound to one specific interface address |
| :: | All IPv6 interfaces; on Linux a :: listener also accepts IPv4 connections unless the socket sets IPV6_V6ONLY (sysctl net.ipv6.bindv6only) |

Collection method:

  • Linux: /proc/net/tcp, /proc/net/tcp6, /proc/net/udp + inode-to-pid mapping
  • Windows: GetExtendedTcpTable, GetExtendedUdpTable
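The Linux method above has two non-obvious parts: the address columns in /proc/net/tcp are hex in host byte order (so 0100007F is 127.0.0.1), and the file carries only a socket inode, which has to be resolved to a PID by scanning /proc/<pid>/fd for socket:[inode] links. The following is an added example, not the agent's code, that does both and tags each listener with the exposure class from the table above. The /proc/net/tcp and tcp6 lines and the inode-to-PID map are constructed so it runs offline; live_inode_map() is the only function that touches the real /proc, and needs root to see other users' descriptors. The udp tables share the same first columns, so the same parser applies to them.

```python
"""Parse /proc/net/tcp{,6} and map socket inodes to PIDs via /proc/<pid>/fd.
Added example, not Infracast's agent code.  Sample tables are constructed."""
import ipaddress
import os
import re

# Constructed /proc/net/tcp content.  st 0A = LISTEN, 01 = ESTABLISHED.
# local/rem address: IPv4 as one little-endian 32-bit word, port big-endian.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   999        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0500000A:01BB 2A7100CB:CC75 01 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
"""
# Constructed /proc/net/tcp6 content: IPv6 as four little-endian 32-bit words.
SAMPLE_TCP6 = """  sl  local_address                         remote_address                        st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000000000000000000000000000:0016 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 100 0 0 10 0
"""
# Constructed stand-in for the /proc/<pid>/fd scan: inode -> (pid, comm)
SAMPLE_INODES = {12345: (1234, "nginx"), 12346: (2001, "postgres"), 12348: (800, "sshd")}

STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT",
          "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_addr(hexaddr):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306).  Each 32-bit word is
    byte-reversed; IPv4 has one word, IPv6 four."""
    ip_hex, port_hex = hexaddr.split(":")
    words = [bytes.fromhex(ip_hex[i:i + 8])[::-1] for i in range(0, len(ip_hex), 8)]
    return str(ipaddress.ip_address(b"".join(words))), int(port_hex, 16)


def parse_proc_net(text):
    entries = []
    for line in text.splitlines()[1:]:                  # skip the header
        f = line.split()
        if len(f) < 10:
            continue
        entries.append({"local": decode_addr(f[1]), "remote": decode_addr(f[2]),
                        "state": STATES.get(f[3], f[3]), "uid": int(f[7]),
                        "inode": int(f[9])})
    return entries


def live_inode_map(proc="/proc"):
    """Real /proc scan: socket inode -> (pid, comm).  Root is needed to
    read other users' fd directories; EACCES/ENOENT are skipped."""
    out = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(f"{proc}/{pid}/comm") as fh:
                comm = fh.read().strip()
            for fd in os.listdir(f"{proc}/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"{proc}/{pid}/fd/{fd}"))
                if m:
                    out[int(m.group(1))] = (int(pid), comm)
        except OSError:
            continue
    return out


def exposure(addr):
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:                               # 0.0.0.0 or ::
        return "all_interfaces"
    if ip.is_loopback:
        return "localhost"
    return "specific_interface"


def listening_ports(entries, inode_map):
    """Listening-port records in the page's shape, plus an exposure tag.
    pid/process stay None when the inode is unresolved (e.g. not root)."""
    records = []
    for e in entries:
        if e["state"] != "LISTEN":
            continue
        pid, proc = inode_map.get(e["inode"], (None, None))
        records.append({"port": e["local"][1], "protocol": "tcp", "address": e["local"][0],
                        "pid": pid, "process": proc, "exposure": exposure(e["local"][0])})
    return records


def sample_report():
    entries = parse_proc_net(SAMPLE_TCP) + parse_proc_net(SAMPLE_TCP6)
    return listening_ports(entries, SAMPLE_INODES)


if __name__ == "__main__":
    for r in sample_report():
        print(r)
```

A listener whose inode does not resolve to any PID is still worth reporting: it usually means the collector is not running as root (the fd directories of other users' processes are unreadable) or the owning process lives in another network namespace, and either case deserves a finding rather than silent omission.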

Active Connections

{
"local_address": "10.0.0.5:443",
"remote_address": "203.0.113.42:52341",
"state": "ESTABLISHED",
"pid": 1234,
"process": "nginx"
}

Connection states: ESTABLISHED, TIME_WAIT, CLOSE_WAIT, LISTEN, SYN_SENT

Network Interfaces

{
"name": "eth0",
"mac": "02:ab:cd:ef:12:34",
"ipv4": ["10.0.0.5/24"],
"ipv6": ["fe80::1/64"],
"mtu": 9001,
"state": "up"
}

Firewall Rules

Linux (iptables)

The agent dumps all iptables chains and rules:

{
"chain": "INPUT",
"action": "ACCEPT",
"protocol": "tcp",
"source": "0.0.0.0/0",
"destination": "0.0.0.0/0",
"dport": "22",
"comment": "SSH access"
}

nftables is also supported on hosts that have migrated away from iptables.

Windows Firewall

{
"name": "Allow HTTPS Inbound",
"direction": "Inbound",
"action": "Allow",
"protocol": "TCP",
"local_port": "443",
"enabled": true,
"profile": "Domain,Private,Public"
}

User Accounts and Sudo Access

Local Users

{
"username": "deploy",
"uid": 1001,
"gid": 1001,
"home": "/home/deploy",
"shell": "/bin/bash",
"last_login": "2026-04-15T10:30:00Z",
"password_status": "set"
}

On Linux the agent reads /etc/passwd; on Windows it calls Get-LocalUser. Password hashes are never collected: password_status only records whether the account has a password set.

Sudo Access (Linux)

{
"user": "deploy",
"sudo_rules": ["ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx"]
}

Collected by parsing /etc/sudoers and /etc/sudoers.d/*. This feeds directly into STIG and CIS compliance checks.
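The rule strings above are the sudoers spec with the user column removed, which is what a compliance check needs to see. The following is an added example, not the agent's parser: it handles the pieces of the sudoers grammar that trip up naive line parsers (backslash continuations, Defaults lines, #include/@include directives, the optional (runas) list and the NOPASSWD tag) and then applies the check CIS and STIG both care about, passwordless unrestricted root. The sudoers text is constructed; a real collector reads /etc/sudoers and /etc/sudoers.d/* as root, and this example does not expand User_Alias/Cmnd_Alias definitions or follow includes.

```python
"""Parse sudoers rules into the per-user record above and flag NOPASSWD
rules.  Added example, not Infracast's agent code.  Input is constructed."""
import re

SAMPLE_SUDOERS = """# constructed sample of /etc/sudoers
Defaults    env_reset
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin"
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
        /usr/bin/tar
ci      ALL=(ALL) NOPASSWD:ALL
@includedir /etc/sudoers.d
"""

# user  hosts = spec   (spec = optional (runas) list, tags, command list)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?P<spec>.+)$")
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")


def logical_lines(text):
    """Rejoin backslash continuations and collapse whitespace."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append(" ".join((buf + line).split()))
        buf = ""
    return out


def parse_sudoers(text):
    """Records in the page's shape: {"user": ..., "sudo_rules": [...]}."""
    rules = {}
    for line in logical_lines(text):
        # Skip blanks, comments, #include/@include directives and Defaults;
        # alias definitions (User_Alias etc.) are not expanded here.
        if not line or line[0] in "#@" or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.setdefault(m.group("user"), []).append(f"{m.group('hosts')}={m.group('spec')}")
    return [{"user": u, "sudo_rules": r} for u, r in rules.items()]


def risky_rules(records):
    """(user, rule, reason) for every NOPASSWD rule; NOPASSWD_ALL is the
    CIS/STIG failure (passwordless unrestricted root), the rest are listed
    so a reviewer can check the allowed binaries for shell escapes."""
    findings = []
    for rec in records:
        for rule in rec["sudo_rules"]:
            spec = rule.split("=", 1)[1]
            cmds = re.sub(r"^\([^)]*\)\s*", "", spec)      # drop (runas[:group])
            nopasswd = "NOPASSWD:" in cmds
            cmdlist = [c.strip() for c in TAG_RE.sub("", cmds).split(",")]
            if nopasswd and "ALL" in cmdlist:
                findings.append((rec["user"], rule, "NOPASSWD_ALL"))
            elif nopasswd:
                findings.append((rec["user"], rule, "NOPASSWD_RESTRICTED"))
    return findings


if __name__ == "__main__":
    recs = parse_sudoers(SAMPLE_SUDOERS)
    for f in risky_rules(recs):
        print(f)
```

Note that "restricted" is only as good as the listed binary: a NOPASSWD rule for an editor, a pager or an archiver that can spawn a shell is effectively NOPASSWD_ALL, which is why the example keeps those rules in the output instead of treating them as clean.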

File Integrity Monitoring

When enabled, the agent computes SHA-256 checksums of configured files:

{
"path": "/etc/ssh/sshd_config",
"sha256": "a1b2c3d4...",
"size_bytes": 3226,
"modified_at": "2026-03-01T08:00:00Z",
"permissions": "0644",
"owner": "root",
"group": "root"
}

Change detection: When a file's checksum changes between scans, Infracast creates a finding tagged config-drift. The finding includes the previous and new hash for audit trail purposes.
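The record fields and the drift rule above are straightforward to reproduce, and seeing the two scans side by side makes the audit-trail point concrete. The following is an added example, not the agent's FIM collector: it builds the record shape shown above from a file's bytes and stat data, then diffs two scans and emits a config-drift finding carrying the previous and new hash. It goes a step beyond the page by also reporting permission and ownership changes, since a config file that became world-writable is drift even when its bytes are unchanged. The sshd_config it hashes is constructed in a temporary directory so the example runs anywhere.

```python
"""SHA-256 file snapshots and config-drift detection between two scans.
Added example, not Infracast's agent code.  The sshd_config is constructed."""
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

try:
    import grp
    import pwd                       # POSIX only: resolve uid/gid to names
except ImportError:                  # Windows: fall back to numeric ids
    pwd = grp = None


def snapshot(path):
    """Record in the page's shape: sha256, size, mtime, mode, owner, group."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    st = os.stat(path)
    return {
        "path": path,
        "sha256": h.hexdigest(),
        "size_bytes": st.st_size,
        "modified_at": datetime.fromtimestamp(st.st_mtime, timezone.utc)
                               .strftime("%Y-%m-%dT%H:%M:%SZ"),
        "permissions": "%04o" % stat.S_IMODE(st.st_mode),
        "owner": pwd.getpwuid(st.st_uid).pw_name if pwd else str(st.st_uid),
        "group": grp.getgrgid(st.st_gid).gr_name if grp else str(st.st_gid),
    }


def detect_drift(previous, current):
    """Compare two scans keyed by path.  A hash change yields a config-drift
    finding with both hashes (the page's rule); a mode/owner/group change
    yields one too (this example's extension).  Files new in `current`
    have no baseline and are skipped."""
    findings = []
    prev = {r["path"]: r for r in previous}
    for rec in current:
        old = prev.get(rec["path"])
        if old is None:
            continue
        if old["sha256"] != rec["sha256"]:
            findings.append({"tag": "config-drift", "path": rec["path"],
                             "previous_sha256": old["sha256"],
                             "new_sha256": rec["sha256"]})
        for field in ("permissions", "owner", "group"):
            if old[field] != rec[field]:
                findings.append({"tag": "config-drift", "path": rec["path"],
                                 "field": field, "previous": old[field],
                                 "new": rec[field]})
    return findings


def demo():
    """Two scans of a constructed sshd_config; between them a setting is
    weakened and the mode loosened to 0666."""
    path = os.path.join(tempfile.mkdtemp(), "sshd_config")
    with open(path, "w") as f:
        f.write("PermitRootLogin no\nPasswordAuthentication no\n")
    os.chmod(path, 0o644)
    scan1 = [snapshot(path)]
    with open(path, "w") as f:
        f.write("PermitRootLogin yes\nPasswordAuthentication no\n")
    os.chmod(path, 0o666)
    scan2 = [snapshot(path)]
    return detect_drift(scan1, scan2)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Hashing in 64 KiB chunks matters for the same collector on large files; reading the whole file into memory is the usual way a FIM agent ends up being the process that gets killed by the OOM killer on a busy host.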

Report Submission

After each scan, the agent submits a complete report to the server:

POST /api/v1/agents/{agentID}/report

The server:

  1. Updates the host's asset graph node with the latest data
  2. Correlates software packages against the CVE/NVD database
  3. Creates or resolves findings for newly discovered or remediated issues
  4. Updates SBOM for the host
  5. Triggers compliance re-evaluation if applicable

Reports are compressed (gzip) before transmission. A typical Linux server report with ~200 packages is approximately 50 KB compressed.

Asset Graph Integration

Agent data enriches existing nodes in the asset graph. For example, an EC2 instance discovered by the AWS plugin gains additional properties from the agent:

aws:us-east-1:ec2.instance:i-0abc123
├── Properties (from AWS plugin)
│ ├── instance_type: t3.medium
│ ├── vpc_id: vpc-abc
│ └── security_groups: [...]
└── Agent Data (from Infracast Agent)
├── software: [nginx 1.24.0, openssl 3.0.2, ...]
├── listening_ports: [80, 443]
├── running_services: [nginx, sshd, ...]
└── cves: [CVE-2023-XXXX (HIGH)]

This combined view gives you the complete picture of each host — cloud metadata plus real runtime state.